AWS fedramp documentation change
Summary
Expanded IAM policy documentation with role-based guides, testing procedures, and policy details
Security assessment
Significantly enhances least-privilege IAM documentation but doesn't fix vulnerabilities. Adds security feature documentation including MFA requirements, permission boundaries, and testing procedures to prevent misconfiguration.
Diff
diff --git a/fedramp/latest/userguide/amazon-aurora-mysql.md b/fedramp/latest/userguide/amazon-aurora-mysql.md index 93e5dd421..62356a587 100644 --- a//fedramp/latest/userguide/amazon-aurora-mysql.md +++ b//fedramp/latest/userguide/amazon-aurora-mysql.md @@ -448 +448,47 @@ Sample IAM policies for least privilege access to Amazon Aurora MySQL -**Read Only Policy:** +### Policy Selection Guide + +Choose the appropriate policy based on your role: + +Policy | Use Case | MFA Required +---|---|--- +Read Only | Auditors, compliance reviewers, monitoring dashboards | No +Operator | Day-to-day operators managing resources | Yes +Administrator | Service administrators with full management access | Yes (1-hour max) + +### Read Only Policy + +**Use this for:** Auditors, compliance reviewers, monitoring dashboards + +**Grants access to:** + + * View resource configurations + + * List resources + + * Describe resource details + + + + +**Does NOT grant:** + + * Create or modify resources + + * Delete resources + + * Change configurations + + + + +**Testing this policy:** + + + # Verify read access works + aws rds describe-db-instances + aws rds describe-db-clusters + + # Verify write access is denied (should fail) + aws rds modify-db-instance --db-instance-identifier test-db + +**Policy JSON:** @@ -466 +512,36 @@ Sample IAM policies for least privilege access to Amazon Aurora MySQL -**Operator Policy:** +### Operator Policy + +**Use this for:** Day-to-day operators managing resources + +**Grants access to:** + + * All read-only permissions + + * Create and modify resources + + * Perform operational tasks + + + + +**Does NOT grant:** + + * Delete critical resources + + * Change security configurations + + * Manage access policies + + + + +**Testing this policy:** + + + # Verify operator access works (requires MFA) + aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --apply-immediately + + # Verify admin access is denied (should fail) + aws rds delete-db-cluster --db-cluster-identifier <cluster-id> + +**Policy JSON:** @@ -492 +573,32 @@ Sample IAM policies for least privilege access to Amazon Aurora MySQL -**Administrator Policy:** +### Administrator Policy + +**Use this for:** Service administrators with full management access + +**Grants access to:** + + * All operator permissions + + * Delete resources + + * Manage access policies + + * Configure security settings + + + + +**Requires:** + + * MFA with maximum 1-hour session duration + + + + +**Testing this policy:** + + + # Verify full admin access works (requires MFA) + aws rds create-db-cluster --db-cluster-identifier new-cluster --engine aurora-mysql + aws rds delete-db-cluster --db-cluster-identifier old-cluster --skip-final-snapshot + +**Policy JSON:**